Hey guys, here’s Joao Botto again. You may already know that I spend most of my time helping customers be safe and productive with Windows 8.1. Some of you may also have seen my name associated with Device Deployment – specifically Surface Pro. So here’s a post that discusses pre-boot recommendations for encrypted tablets.
“To PIN or not To PIN, that is the question”
The primary usage of the TPM chip with Bitlocker is to handle the keys that unlock the drive and to verify that the hardware hasn’t changed. If you move a hard disk encrypted with Bitlocker to any other machine (even if it’s the same hardware model) you will be prompted for the recovery key before you boot – this is the TPM chip protecting your data.
One of the most common questions – or rather statements - I get when discussing encryption is that having a pre-boot authentication (aka Bitlocker PIN) increases the security. For those of you that may not know, the PIN is like one of those old BIOS passwords. If you use this protection you won’t even get to the Windows login screen unless you know the PIN. So if you use TPM+PIN you will probably be getting a lot more support tickets as some users forget their PIN, but will security also go up? The answer is the very annoying “it depends”, but this time it depends on the hardware!
There’s a detailed article by our Windows Client Security Senior Product Manager Chris Hallum that you can read here: http://technet.microsoft.com/en-us/security/jj884374.aspx You can also send it to your security team if they insist that TPM+PIN protection is necessary on your new Surface Pro devices 
We’ll get there in a moment.
Now let me just give you the most interesting tidbits of that article:
“many customers end up over deploying pre-boot authentication within their organizations which results in a diminished user experience and increases support costs (for example, a forgotten PIN)”
“So let’s start with a quick refresher on which types of attacks pre-boot authentication is designed to prevent. The short answer is “cold boot attacks” which enable an attacker who has physical access to the device to retrieve the encryption keys which are loaded into system memory when the device is booted. These keys can be accessed using a number of techniques including using a port with unauthenticated Direct Memory Access (for example, Firewire) to dump the system memory to an external device. Another example is taking advantage of data remanence properties of DRAM and SRAM which can enable system memory to remain readable for a short period of time after power has been removed. In this case an attacker could power off the device, remove the memory physically from the device, and potentially get access to the data on the memory chip using another device.”
So here’s what you should retain: PIN is meant to prevent very targeted attacks where an attacker connects to your machine using a DMA port to retrieve secrets from memory, or extracts the memory from your machine and connects it to another device to extract its contents. Now guess what? In Windows tablets such as the Surface Pro there are no DMA ports, and the memory is actually soldered and thus pretty much impossible to remove. We don’t see any good reason to enable the pre-boot authentication on this kind of devices. Do you? That’s why even when your security policy says that TPM+PIN should be enforced, tablets will use TPM only by default.
I still want to enable pre-boot authentication on my device
(or the security guys refuse to listen)
We want users to avoid getting into a situation where their tablet is asking for a PIN, but there is no physical keyboard. In that situation the users would simply not be able to get to the Windows login prompt. They are essentially left with a big paperweight until they’re able to connect to a keyboard.
For that reason Windows will not let you enable Bitlocker with TPM+PIN on tablets unless you enable the following policy:
Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\ Enable use of Bitlocker authentication requiring preboot keyboard input on slates
Once you enable this group policy, the same policy that you have for Desktops/Laptops will apply to tablets as well. This means that if TPM protection is chosen for Laptops TPM only will also be applied to Tablets. But if TPM+PIN is chosen for laptops, then all tablets will also be forced to a pre-boot authentication.
On the other hand, if you don’t enable “Enable use of Bitlocker authentication requiring pre-boot keyboard input on slates” then the devices will not be forced (or allowed!) to use a Bitlocker PIN even if the Bitlocker policy says TPM+PIN.
Here’s in a table format:
Group Policy specifies TPM+PIN | Group Policy specifies TPM only | |
Not“Enable use of Bitlocker authentication requiring preboot keyboard input on slates” | TPM only on tablets TPM+PIN on laptops and desktops | TPM only on tablets TPM only on laptops and desktops |
“Enable use of Bitlocker authentication requiring preboot keyboard input on slates” | TPM+PIN on tablets TPM+PIN on laptops and desktops | TPM only on tablets TPM only on laptops and desktops |
What about Surface Pro 3? Doesn’t it have an Onscreen Keyboards for preboot authentication?
Yes it does! Why? Mostly because some third party encryption technologies require preboot authentications. Even Bitlocker can be set with Password only when the device doesn’t have a TPM chip. Just to clarify, Surface Pro (1, 2 and 3) have TPM chips in most countries.
So how do you enable TPM+PIN on your Surface Pro 3?
- First you need to make sure that the policy mentioned above is set to Enable, and that the Bitlocker policy is to enable TPM+PIN
- Start the encryption using your preferred method (UI, script, MBAM)
Easy, isn’t it?
Just make sure you don’t apply “Enable use of Bitlocker authentication requiring preboot keyboard input on slates” to any tablets that don’t have a preboot onscreen keyboard (e.g. Surface Pro 2) unless you always have a physical keyboard attached to them.
And The Final Result
Now when you boot your Surface Pro 3 and are asked for your Bitlocker PIN just press the keyboard button at the top right hand corner and you will open the onscreen keyboard:
Just remember that this onscreen keyboard is only available on Surface Pro 3 and some third party devices. Not all tablets have this, in case of doubt please check with your OEM.
TPM + PIN technically doesn’t really add security value on tablets like the Surface Pro 3 but if your security team insists that it should be used we definitely have that option for you!
Joao “12345 I’ve got the same combination on my luggage! “ Botto